adva_rbac 0.0.1

data/db/migrate/20080402000006_create_role_tables.rb

@@ -0,0 +1,13 @@
+class CreateRoleTables < ActiveRecord::Migration
+  def self.up
+    create_table :roles do |t| 
+      t.references :user # TODO reference a membership instead?
+      t.references :context, :polymorphic => true
+      t.string     :type, :limit => 25
+    end
+  end
+
+  def self.down
+    drop_table :roles
+  end
+end

data/db/migrate/20090720132900_migrate_roles_table_to_new_rbac.rb

@@ -0,0 +1,15 @@
+class MigrateRolesTableToNewRbac < ActiveRecord::Migration
+  def self.up
+    rename_column :roles, :type, :name
+    add_column :roles, :ancestor_context_id, :integer
+    add_column :roles, :ancestor_context_type, :string
+    Rbac::Role.scoped.each { |role| role.update_attribute(:name, role.name.demodulize.underscore) }
+  end
+
+  def self.down
+    Role.scoped.each { |role| role.update_attribute(:name, "Rbac::Role::#{role.name.camelize}") }
+    remove_column :roles, :ancestor_context_id
+    remove_column :roles, :ancestor_context_type
+    rename_column :roles, :name, :type
+  end
+end

data/lib/action_controller/guards_permissions.rb

@@ -0,0 +1,77 @@
+# TODO move to some rails specific adapter in Rbac?
+
+module ActionController
+  class RoleRequired < SecurityError
+    attr_accessor :required_role
+    def initialize(role_types, action, type)
+      @required_roles = role_types
+      @action = action
+      @type = type
+      super I18n.t(:'adva.roles.errors.messages.role_required', :roles => role_types)
+    end
+  end
+
+  module GuardsPermissions
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    module ClassMethods
+      def guards_permissions(type, options = {})
+        return if guards_permissions?
+        include InstanceMethods
+        extend ClassMethods
+
+        helper_method :has_permission?
+
+        class_attribute :action_map
+        set_action_map options.except(:only, :except)
+
+        before_filter(options.slice(:only, :except)) do |controller|
+          controller.guard_permission(type)
+        end
+      end
+
+      def guards_permissions?
+        included_modules.include? InstanceMethods
+      end
+    end
+
+    module ClassMethods
+      # maps controller actions to (virtual) model actions that are referenced
+      # by the roles system
+      def set_action_map(map)
+        self.action_map = { :index => :show, :edit => :update, :new => :create }
+        map.each do |target, actions|
+          Array(actions).each{|action| self.action_map[action] = target }
+        end
+      end
+    end
+
+    module InstanceMethods
+      def guard_permission(*args)
+        type = args.pop
+        action = args.pop || map_from_controller_action
+
+        # TODO :show permissions do not make any sense right now, so we
+        # completely deactivate them
+        # return if action.to_sym == :show
+
+        unless has_permission?(action, type)
+          role_types = current_resource.authorizing_role_types_for(:"#{action} #{type}")
+          raise RoleRequired.new(role_types, action, type)
+        end
+      end
+
+      def has_permission?(action, type)
+        action = :"#{action} #{type}"
+        user = current_user || User.anonymous
+        user.has_permission?(action, current_resource)
+      end
+
+      def map_from_controller_action
+        action_map[params[:action].to_sym] || params[:action].to_sym
+      end
+    end
+  end
+end

data/lib/adva_rbac.rb

@@ -0,0 +1,18 @@
+# require "adva_rbac/version"
+require "rails"
+
+require "rbac"
+require "rbac/role_type/static"
+# require "active_record/acts_as_role_context"
+require "action_controller/guards_permissions"
+
+module AdvaRbac
+  class Engine < Rails::Engine
+    initializer "adva_rbac.init" do
+      ActiveRecord::Base.send :include, Rbac::ActsAsRoleContext
+      ActionController::Base.send :include, ActionController::GuardsPermissions
+
+      Rbac::RoleType.implementation = Rbac::RoleType::Static
+    end
+  end
+end

data/lib/adva_rbac/version.rb

@@ -0,0 +1,3 @@
+module AdvaRbac
+  VERSION = "0.0.1"
+end

data/lib/permission_map.rb

@@ -0,0 +1,70 @@
+# TODO - muuuuch of this could be done so much nicer
+
+
+# Manages permissions that map actions to roles.
+#
+# Ensures the given actions are arrays, invert the role => action hash
+# to a action => role hash while expanding the actions array to keys,
+# and expand the action key :all to the default actions.
+#
+# E.g.:
+#
+#   :comment => {:user => :create, :admin => [:edit, :delete]}
+#
+# becomes:
+#
+#   :comment => {:create => :user, :edit => :admin, :delete => :admin}
+
+class PermissionMap < Hash
+  def default_actions
+    [:show, :create, :update, :destroy]
+  end
+
+  def initialize(permissions)
+    permissions.clone.each do |type, roles|
+      roles.each do |role, actions|
+        actions = actions == :all ? default_actions : Array(actions)
+        set type, Hash[*(actions.zip [role] * actions.size).flatten]
+      end
+    end
+  end
+
+  def set(type, permissions)
+    self[type] ||= {}
+    self[type].update permissions
+  end
+
+  def sorted
+    sorted = ActiveSupport::OrderedHash.new
+    sorted_keys.each do |type|
+      roles = self[type]
+      # put default_actions to the front, sort the rest
+      # then only use keys that were present in the original key set
+      keys = default_actions + sorted_keys(roles.keys - default_actions) & roles.keys
+      (keys).each do |key|
+        sorted[type] ||= ActiveSupport::OrderedHash.new
+        sorted[type][key] = self[type][key]
+      end
+    end
+    sorted
+  end
+
+  def sorted_keys(keys = nil)
+    keys ||= self.keys
+    keys.map(&:to_s).sort.map(&:to_sym)
+  end
+
+  def update(other)
+    merged = self.dup
+    other.each do |type, permissions|
+      permissions.each do |action, role|
+        type = type.to_sym
+        action = action.to_sym
+        self[type] ||= {}
+        self[type][action] ||= {}
+        self[type][action] = role.to_sym
+      end
+    end
+    merged
+  end
+end

data/lib/rbac.rb

@@ -0,0 +1,26 @@
+require 'rbac/acts_as_role_context'
+require 'rbac/acts_as_role_subject'
+require 'rbac/context'
+require 'rbac/subject'
+require 'rbac/role_type'
+require 'rbac/role'
+
+module Rbac
+  class UndefinedRoleType < IndexError
+    def initialize(name)
+      super "Could not find role type named #{name}"
+    end
+  end
+
+  class AuthorizingRoleNotFound < IndexError
+    def initialize(context, action)
+      super "Could not find role(s) for #{action} (on: #{context.inspect})"
+    end
+  end
+
+  class NoImplementation < RuntimeError
+    def initialize
+      super "No implementation configured: Rbac::RoleType.implementation"
+    end
+  end
+end

data/lib/rbac/acts_as_role_context.rb

@@ -0,0 +1,44 @@
+module Rbac
+  module ActsAsRoleContext
+    def self.included(base)
+      base.extend ActMacro
+    end
+
+    module ActMacro
+      def acts_as_role_context(options = {})
+        return if acts_as_role_context?
+
+        include InstanceMethods
+        
+        serialize :permissions
+        cattr_accessor :role_context_class
+
+        self.role_context_class = begin
+          "#{self.name}::RoleContext".constantize
+        rescue NameError
+          Rbac::Context.define_class(self, options)
+        end
+      end
+
+      def acts_as_role_context?
+        included_modules.include?(Rbac::ActsAsRoleContext::InstanceMethods)
+      end
+    end
+
+    module InstanceMethods
+      delegate :authorizing_role_types_for, :to => :role_context
+      
+      # returns the role context wrapper associated to the domain object (e.g. Site)
+      def role_context
+        @role_context ||= self.role_context_class.new(self)
+      end
+      
+      # attribute reader that returns a hash as a default
+      def permissions
+        read_attribute(:permissions) || {}
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.send(:include, Rbac::ActsAsRoleContext)

data/lib/rbac/acts_as_role_subject.rb

@@ -0,0 +1,65 @@
+module Rbac
+  module ActsAsRoleSubject
+    def self.included(base)
+      base.extend ActMacro
+    end
+
+    module ActMacro
+      def acts_as_role_subject(options = {})
+        return if acts_as_role_subject?
+
+        include InstanceMethods
+
+        serialize :permissions
+        cattr_accessor :role_subject_class
+
+        self.role_subject_class = begin
+          "#{self.name}::RoleSubject".constantize
+        rescue NameError
+          Rbac::Subject.define_class(self, options)
+        end
+      end
+
+      def acts_as_role_subject?
+        included_modules.include?(Rbac::ActsAsRoleContext::InstanceMethods)
+      end
+    end
+
+    module InstanceMethods
+      # returns the role subject wrapper associated to the domain object (e.g. User)
+      def role_subject
+        @role_subject ||= self.role_subject_class.new(self)
+      end
+
+      def has_role?(*args)
+        role_subject.has_role?(*args)
+      end
+
+      def has_global_role?(type, site = nil)
+        return self.roles.any? do |role|
+          (role.name == "superuser" && type == :superuser ||
+          role.name == type.to_s && role.context_type == "Site" && role.context_id == site.id)
+        end
+      end
+
+      def has_permission_for_admin_area?(site)
+        permitted_roles = [:superuser, :admin, :moderator, :author, :designer]
+        return self.roles.any? do |role|
+          permitted_roles.any? do |permitted_role|
+            self.has_global_role?(permitted_role, site)
+          end
+        end
+      end
+
+      def has_permission?(*args)
+        role_subject.has_permission?(*args)
+      end
+
+      def has_explicit_role?(*args)
+        role_subject.has_explicit_role?(*args)
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.send(:include, Rbac::ActsAsRoleSubject)

data/lib/rbac/context.rb

@@ -0,0 +1,85 @@
+module Rbac
+  class Context
+    mattr_accessor :default_permissions
+    self.default_permissions = {}
+
+    class << self
+      def root
+        @root ||= Base.new(self)
+      end
+      
+      def define_class(model, options)
+        Class.new(Base).tap do |klass|
+          model.const_set('RoleContext', klass).class_eval do
+            self.parent_accessor = options.delete(:parent)
+            self.options = options
+          end
+        end
+      end
+    end
+    
+    class Base
+      class_attribute :parent_accessor, :options, :children
+      self.options  = {}
+      self.children = []
+      
+      attr_accessor :object
+
+      def initialize(object = nil)
+        self.object = object
+      end
+
+      def authorizing_role_types_for(action)
+        raise ArgumentError.new("No action given (on: #{self.inspect})") unless action
+        result = self_and_parents.inject([]) do |types, context|
+          types += Array(context.permissions[action.to_sym])
+        end
+        raise(AuthorizingRoleNotFound.new(self, action)) if result.empty?
+        result
+      end
+
+      def expand_roles_for(action)
+        types = build_role_types_for(action)
+        contexts = self_and_parents - [Rbac::Context.root]
+
+        contexts.collect do |context|
+          types.collect { |type| type.expand(context.object) }
+        end.flatten.uniq
+      end
+
+      def include?(context)
+        return false unless context
+        context = context.role_context unless context.is_a?(Base)
+        begin 
+          return true if self.object == context.object
+        end while context = context.parent
+        false
+      end
+
+      def self_and_parents
+        [self] + (parent ? parent.self_and_parents : [])
+      end
+
+      def parent
+        if parent_accessor and parent = object.send(parent_accessor)
+          parent.role_context
+        elsif self != Rbac::Context.root
+          Rbac::Context.root # might want to return a fake domain model here
+        end
+      end
+
+      protected
+
+        def permissions
+          return Rbac::Context.default_permissions if self.class == Rbac::Context::Base
+          @permissions ||= (object.try(:permissions) || {}).symbolize_keys
+        end
+
+        def build_role_types_for(action)
+          authorizing_role_types_for(action).collect do |type|
+            Rbac::RoleType.build(type).self_and_masters
+          end.flatten.compact
+        end
+    end
+  end
+end

data/lib/rbac/role.rb

@@ -0,0 +1,10 @@
+module Rbac
+  class Role < ActiveRecord::Base
+    belongs_to :subject, :polymorphic => true
+    belongs_to :context, :polymorphic => true
+
+    def has_context?
+      context_type && context_id
+    end
+  end
+end

data/lib/rbac/role_type.rb

@@ -0,0 +1,73 @@
+module Rbac
+  module RoleType
+    mattr_accessor :implementation
+
+    class << self
+      def build(*args)
+        implementation.build(*args)
+      end
+      
+      def types
+        implementation.all
+      end
+      
+      def implementation
+        @@implementation || raise(NoImplementation.new)
+      end
+    end
+    
+    def name
+      super.split('::').last.underscore
+    end
+    
+    def expand(object)
+      expansion = [name]
+      expansion += [object.class.to_s.underscore, object.id] if requires_context?
+      expansion.join('-')
+    end
+    
+    def requires_context?
+      true
+    end
+
+    def self_and_masters
+      [self] + all_masters
+    end
+
+    def masters
+      []
+    end
+
+    def all_masters
+      masters + masters.map(&:all_masters).flatten.uniq
+    end
+
+    def self_and_minions
+      [self] + all_minions
+    end
+
+    def minions
+      []
+    end
+
+    def all_minions
+      minions + minions.map(&:all_minions).flatten.uniq
+    end
+
+    def minion_of?(name)
+      self_and_masters.any? { |type| type.name == name }
+    end
+
+    def included_in?(role, context = nil)
+      minion_of?(role.name) && (!role.context || role.context.role_context.include?(context))
+    end
+
+    def granted_to?(subject, context = nil, options = {})
+      # this implementaion makes the assumption that subject implements an roles
+      # method returning objects that carry the role's type/name and context
+      !!subject.roles.detect do |role|
+        options[:explicit] ? self.name == role.name : self.included_in?(role, context)
+      end
+    end
+  end
+end